Operations // Identity & Access Management
1/29/2014
09:08 AM
Bob Covello
Commentary

The Scariest End-User Security Question: What Changed?

Hitting employees over the head with fear, uncertainty, and doubt does little to help protect them from security threats. Is multi-factor authentication "by force" a better approach?

Comments
Marilyn Cohodas, User Rank: Strategist
1/30/2014 | 11:03:20 AM
Re: Too optimistic about multi-factor authentication 'by force'
That might work for me if my cat cooperates!
Bob Covello, User Rank: Apprentice
1/30/2014 | 10:58:57 AM
Re: Too optimistic about multi-factor authentication 'by force'
"I tried once and forgot the password" - GASP!

One person submitted this method of never losing the password: He had the password embossed on a dog tag that was then placed on the neck of his Doberman.  How's THAT for a level of security?

Marilyn Cohodas, User Rank: Strategist
1/30/2014 | 10:49:40 AM
Re: Too optimistic about multi-factor authentication 'by force'
You make a good point about the Lost / Stolen / Broken / Drowned device. As for password managers, (embarrassingly painful admission) I tried one once and then forgot the password.
Bob Covello, User Rank: Apprentice
1/30/2014 | 10:45:37 AM
Re: Too optimistic about multi-factor authentication 'by force'
Marilyn:

I agree in part with the statement that "everyone" has a cell phone, but in the many years that I have been working supporting those mobile devices, the Lost / Stolen / Broken / Drowned devices exceed the number of retained devices.

No one can afford to carry two phones simply to have a backup for authentication, but for a small fee, one can register multiple Yubikey devices on the same account. 

I hope you don't mind my constant mention of the Yubikey device, but it just seems to work perfectly when coupled with the correct password manager.

Password manager??  That is a topic of another discussion ...

Marilyn Cohodas, User Rank: Strategist
1/30/2014 | 10:08:15 AM
Re: Too optimistic about multi-factor authentication 'by force'
Bob, I think the ubiquitous cell phone is perfect as a multi-factor authentication device. Everyone has one! What's your issue with them?
Marilyn Cohodas, User Rank: Strategist
1/30/2014 | 10:05:50 AM
Re: Too optimistic about multi-factor authentication 'by force'
So as long as the losses are lower than the cost of doing things right, people will continue to have security issues over and over again.

Clement, I can't disagree with your argument about the ROI on security investments. It's the reason Target backed off its endorsement of smart cards a decade ago. But just last week Target CEO Gregg Steinhafel called on other retailers and banks to push for EMV adoption. Will anything change? I don't know but I certainly hope so.
Bob Covello, User Rank: Apprentice
1/29/2014 | 12:18:24 PM
Re: Too optimistic about multi-factor authentication 'by force'
Marilyn:

Two things are different now: First is the amazing volume of compromises that we have been witnessing.
Second: up until a few years ago, most folks did not carry a 2nd Factor authenticator with them. 
I am not a strong supporter of the cell-phone as a multi-factor device, but one cannot deny the behavioral change it has caused. I am challenged to find anyone who is without a cell-phone.
(I prefer a one-time-password generator such as the Yubico Yubikey - smaller than a cell phone and way more durable, but not in universal use YET.)
Bob Covello, User Rank: Apprentice
1/29/2014 | 11:59:26 AM
Re: Too optimistic about multi-factor authentication 'by force'
Clement:

Thanks for your thoughtful response.

I am confident that the USA will soon be changing their credit card technology, as there will start to be a public outcry.  The idea that a person cannot buy something as simple as a pair of socks at Target, or a glue stick at Michael's without putting their identity at risk will begin to have an impact.  There I go being an optimist again!

For any of the readers who are not familiar with Clement, he is a MASTER at security-related information.  His tireless efforts at educating others are legendary, and his web site is an essential tool for anyone who wants to pass any InfoSec Exam.  https://www.cccure.com/cart/

I am flattered and honored to be in such good company!

clementdupuis, User Rank: Apprentice
1/29/2014 | 10:44:02 AM
Re: Too optimistic about multi-factor authentication 'by force'
Good day Bob,

The problem is not one of technology, the problem is one of attitude toward security.

Security should be risk based, however today in the USA it is based on  total loss versus cost of doing things right.   So as long as the losses are lower than the cost of doing things right, people will continue to have security issues over and over again.


Token-based authentication tools have been used in Europe for years, I am talking more than a decade in most countries.  It is only catching up in North America.

We bitch about card theft, but yet we still don't have chip enabled cards which would greatly help in such cases.   Once again cost of card replacement versus potential losses.

Answering your question:  What has changed?  When I look at computer security nothing has changed and it is unlikely to change quickly in the future.  History is repeating itself over and over again.  You just change the name of the company that was the victim and the remainder of the text would still apply.

Best regards

Clement
Drew Conry-Murray, User Rank: Ninja
1/29/2014 | 10:32:31 AM
Re: Too optimistic about multi-factor authentication 'by force'
I think multi-factor authentication for consumers is a good idea, and mobile phones make it easier because they can serve as a second factor (the standard user-name/password is something you know, and the phone is something you have). The provider can send a text message with a code that the user can enter into a site, whether as part of the log-in or for something like requesting a password change. It's not perfect, but it's much more manageable for the consumer than having to juggle a bunch of hardware tokens or waiting for every computing device to come with a fingerprint reader.
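The thread above weighs three things against each other: a texted code (Drew Conry-Murray's comment), a one-time-password generator such as a YubiKey (Bob Covello's comments), and the practical problem that a phone gets lost, stolen, broken or drowned and a second registered device is the way out. The following is an added example, written for this page and not code from Dark Reading, Yubico or any of the commenters. It puts those three pieces side by side in one small verifier: OATH HOTP (RFC 4226) and TOTP (RFC 6238), which is what a phone authenticator app or a hardware token in OATH mode produces (Yubico's own 44-character "Yubico OTP" format is a different scheme and is not what this implements); a short-lived, single-use out-of-band code standing in for the SMS pattern; and an account that can hold several registered devices and revoke one. The class and method names (`Account`, `register_device`, `revoke_device`, `issue_sms_code`, ...) are this example's own assumptions, and the SMS gateway is stubbed: the code is simply returned to the caller.

```python
"""
Added illustration (not from the Dark Reading page or any commenter):
a minimal second-factor verifier combining OATH HOTP/TOTP, an
out-of-band one-time code, and multi-device registration with revocation.
Class and method names below are this example's own.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time in `step`-second slots."""
    return hotp(secret, int(now // step), digits)


MAX_FAILURES = 5  # a six-digit code is guessable online unless attempts are capped


class Account:
    def __init__(self) -> None:
        self.totp_devices: Dict[str, bytes] = {}    # device name -> shared secret
        self.last_step_used: Dict[str, int] = {}    # device name -> last accepted time step
        self.sms_code: Optional[Tuple[str, float]] = None  # (code, expires_at)
        self.failed = 0

    # -- "something you have": registered authenticators -------------------
    def register_device(self, name: str, secret: bytes) -> None:
        """A user may hold several devices (e.g. two YubiKeys, or key plus phone)."""
        self.totp_devices[name] = secret
        self.last_step_used[name] = -1

    def revoke_device(self, name: str) -> None:
        """Lost / stolen / broken / drowned: drop it; the other devices keep working."""
        self.totp_devices.pop(name, None)
        self.last_step_used.pop(name, None)

    def verify_totp(self, code: str, now: float, step: int = 30, window: int = 1) -> Optional[str]:
        """Accept `code` if any registered device produced it within +/- `window`
        time steps, accepting each step at most once per device (replay guard).
        Returns the matching device name, or None."""
        if self.failed >= MAX_FAILURES:
            return None
        current = int(now // step)
        for name, secret in self.totp_devices.items():
            for delta in range(-window, window + 1):
                ctr = current + delta
                if ctr < 0 or ctr <= self.last_step_used[name]:
                    continue  # before epoch, or this step was already consumed
                if hmac.compare_digest(hotp(secret, ctr).encode(), code.encode()):
                    self.last_step_used[name] = ctr
                    self.failed = 0
                    return name
        self.failed += 1
        return None

    # -- out-of-band code (the "text me a number" pattern) -----------------
    def issue_sms_code(self, now: float, ttl: int = 300) -> str:
        """Fresh six-digit code valid for `ttl` seconds. Returned here instead of
        being handed to an SMS gateway (stubbed); never echo it to the browser."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.sms_code = (code, now + ttl)
        return code

    def verify_sms_code(self, code: str, now: float) -> bool:
        """Single use: the stored code is discarded on the first attempt, good or bad."""
        if self.sms_code is None:
            return False
        stored, expires_at = self.sms_code
        self.sms_code = None
        if now > expires_at or self.failed >= MAX_FAILURES:
            return False
        ok = hmac.compare_digest(stored.encode(), code.encode())
        self.failed = 0 if ok else self.failed + 1
        return ok
```

With the RFC 4226/6238 test seed `12345678901234567890`, `hotp` gives `755224` for counter 0 and `totp` gives `287082` at Unix time 59 (the RFCs' published vectors), so the arithmetic can be checked against the standards rather than trusted. The two points the thread raises are visible in the code: the time-step window and the `last_step_used` record are what stop a sniffed or shoulder-surfed code from being replayed, and `revoke_device` is the operational answer to the drowned phone, which only works if a second device was registered before the first one was lost.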